The future is uncertain and complex. Technology moves so fast and flexibly that new vulnerabilities are exposed at every turn. Businesses are desperate to expand and globalise, but that means emerging markets with less manageable threats. To the security people, crisis managers and business continuity providers falls the task of harnessing the chaos, so businesses can turn it to opportunity and productivity.

The Global Challenge

Emerging markets tend to bring the most challenging security: Central America, Russia, South Asia, Africa. Demographics change and markets morph and spread like fire. Today’s new communities are less defined by borders, more by the lines of communication between them. More mergers and acquisitions mean clashing cultures and technologies. Just as your group access and authorisation technology takes shape, along comes a proprietary interloper system - refusing all attempts at friendship.

Offshoring and outsourcing: your screening and business continuity processes have always included your key suppliers, but suddenly you’re depending on companies and staff in places you’ve never seen, and on their onward supply chains. Our enemies too are globalising: organised crime, terrorism, pandemic, to name but three. If there’s money there for us, there’s money there for criminals. As we expand, others use terrorism to stop us. As we spread, flu viruses spread among us, and we may find ourselves relying on staff hired rapidly in places well away from our production or planned recovery sites.

Finally, regulation and standards. Our industry struggles to understand what regulators expect of business continuity planning, crisis management, security, and data protection. Is it about protecting people, national infrastructures, the economy? If my continuity is designed around BS25999, my information security around ISOs17799/27000, and I underwrite it with BS31100 risk assessment, am I safe from the regulator quoting Basel II, SOXA, and the ANSI/ASIS Organisational Resilience Standard?

The Response

So, how do we construct sustainable resilience in such markets? Are we always to be a step behind, waiting for international agreements? BCM ISO22301 (draft due March 2010) is a case in point: much needed but much sooner so than it can be delivered, while new rules and threats blow in with every breeze. June 2009’s Continuity Magazine suggested an unwanted gap developing between BCM and Crisis Management. BCI itself distinguishes between risk management and business continuity; risk management is described as focused on risks to core business objectives, and BCM on incident management outside the core competencies of the business. How do we make sense of these dichotomies and respond flexibly and speedily with one voice?

Reassuringly, the answer is where it always was: in sound risk management. From last month’s ASIS Security Management Magazine: “…increasingly in an era of terror, reliability is defined by resilience.” Whether or not we see a BCM ISO or any other new global resilience standards published soon, regulation and standards will increasingly join up. The demand is at least partly driven by businesses’ need to respond satisfactorily to regulators.

Our industry must increasingly move ahead of that demand. Distinctions between security, crisis management, and business continuity are blurring. Companies and consultancies that succeed will be those who understand the whole portfolio end to end. That is not to say a single part cannot be provided on demand: it certainly can, often in response to a client facing an urgent problem, but the product should be delivered in a context of the client’s complete, long term requirements.

BCM and Security are underwritten by understanding of threat and consequent management of risk. Providers should be able to identify and analyse intelligence and trends deep within the framework of the client’s business imperatives; to investigate using the latest technologies, such as deep web crawling, behavioural analysis, and the linking of physical security to logical security to the investigator’s desk; to construct staff and customer screening processes to suit the client’s global dynamic; to train, because if we leave a BCP, a crisis management programme, or a security process on our client’s desk without the means to train to it and test it, we will have failed.

Also, if we are to serve clients who are globalising, we need new integration skills. Global security technology is a great enabler and money saver, but it can be the opposite on both counts. And such technology seldom stands alone any more; it needs integration with travel programmes, HR data bases, and data protection policies.

Does this mean global missions can only be served by globally sized companies? Far from it. A medium sized firm, with end to end capability and staff who have worked around the globe, will often outperform a vast concern that relies on a network of disparate local providers. The recovery sites or manned guarding officers may be found locally, but the selection and the responses need to accord with the client’s wider profile. Managing BCM and Security risk is an increasingly holistic process involving a close relationship between service provider and client.

So, can we harness the chaos in 2010? Yes, if we can move ahead of it and be as broad-thinking and as responsive to change as the businesses we serve.